首先要明确一点 SingleSignOutFilter 会拦截所有请求,而不是仅仅拦截logout时的请求
在sso client应用中存在一个Map<Ticket,HttpSession>对象
在sso server认证用户名密码成功后,会redirect一个带有ticket的请求到sso client
这时就执行下面的逻辑,ticket和当前session会被缓存到Map
退出时,sso server发送带logoutRequest参数的http请求到每一个sso client
这时就会执行下面的逻辑 --- 删除ticket对应的session 然后销毁session
public void doFilter(final ServletRequest servletRequest, final ServletResponse servletResponse, final FilterChain filterChain) throws IOException, ServletException { final HttpServletRequest request = (HttpServletRequest) servletRequest; //add for webdav sso String reqURI = ((HttpServletRequest)request).getRequestURI(); boolean isCesso = false; if(reqURI.endsWith("/webdav") || reqURI.contains("/webdav/")){ if(request.getHeader(WEBDAV_CESSO_FLAG)!=null && !request.getHeader(WEBDAV_CESSO_FLAG).equals("")) isCesso = Boolean.valueOf(request.getHeader(WEBDAV_CESSO_FLAG).toString()); if(!isCesso){ filterChain.doFilter(servletRequest, servletResponse); return; } } //退出时,cas server向cas client发送post请求,其中包括了sessionId,此filter获取session并销毁之 if ("POST".equals(request.getMethod())) { final String logoutRequest = request.getParameter("logoutRequest"); if (logoutRequest!=null && !"".equals(logoutRequest)) { final String sessionIdentifier = XmlUtils.getTextForElement(logoutRequest, "SessionIndex"); if (!"".equals(sessionIdentifier)&& sessionIdentifier!=null) { log.info(" client---Remove A Session Indentify : "+sessionIdentifier); final HttpSession session = SESSIONSTORAGE.removeByMappingId(sessionIdentifier); //首先注销本地session request.getSession().invalidate(); log.info("client---invalidate request's Session"); if (session != null) { session.invalidate(); } return; } } } else { //非logout请求,判断是否包含ticket参数,如果包含缓存ticket session到map String artifact = request.getParameter(this.artifactParameterName); final HttpSession session = request.getSession(); if(null == artifact && null != session.getAttribute("ticket")){ artifact = (String)session.getAttribute("ticket"); } if (!"".equals(artifact)&&!"null".equals(artifact) && artifact!=null && SESSIONSTORAGE.getSessionByMappingID(artifact)==null) { log.info(" client---Add A New Session Indentify : "+artifact); SESSIONSTORAGE.addSessionByMappingId(artifact, session); } } filterChain.doFilter(servletRequest, servletResponse); }